Alcohol delivery app Drizly has been hit with a huge data breach affecting up to 2.5 million accounts, revealing customers’ email addresses, birthdays, encrypted passwords, and even delivery addresses. You’d hope hackers would at least have the decency to leave our liquor alone amidst this incredibly trying pandemic, but apparently nothing is sacred.
In a statement to Mashable, Drizly said it first realised customers’ data may have been compromised on July 13, and “quickly took steps to tighten security and further reduce risk of attack.”
“In terms of scale, up to 2.5 million accounts have been affected,” said Drizly. “Delivery address was included in under 2% of the records. And as mentioned in our email to affected consumers, no financial information was compromised.”
However, in addition to the information listed in Drizly’s email, TechCrunch’s own investigation discovered customers’ phone numbers, IP addresses, and geolocation data were also compromised. Further, despite Drizly’s assertion that customers’ financial details were safe, TechCrunch uncovered a February dark web listing for a “fresh hacked” Drizly account claiming to include credit card details.
It’s unclear if this hacked account is linked to this particular breach, but either way, it ain’t good.
Drizly stated it is working with external cyber security experts and federal law enforcement to investigate the breach and determine exactly what information was compromised. “This is an ongoing investigation,” said Drizly.
In the meantime, Drizly told Mashable it has directly notified all impacted users, and asked them to change their passwords. “Because of the encryption Drizly accounts should not be able to be accessed, though to be cautious we’ve encouraged users to nonetheless change their passwords,” the statement said.
It might be a good idea to change yours even if you weren’t contacted, just to be safe.